Bug #1211

closed

defrag issue

Added by Victor Julien over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Antonios Atlasis, working with ERNW GmbH, reported a serious IPv6 defrag issue. This issue has been fixed in Suricata 2.0.2.

The issue was caused by a logic error in the way the defrag timeout configuration was set up. If no config was found for a specific host, there would effectively be no timeout. This led to defrag 'trackers' being cleaned up prematurely. The premature cleanup of the tracker led to Suricata failing to perform the IP reassembly.

The failed reassembly of these IP packets then leads to missing packets in TCP stream reassembly, HTTP tracking and detection. Thus, a pretty serious issue.

Solution: upgrade to 2.0.2

A workaround for 2.0 and 2.0.1 is to add the following config to your yaml:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

  host-config:
    - all:
        timeout: 60
        address: ["0.0.0.0/0", "::/0"]

The top part is the default config in the yaml; the host-config part is the workaround.

Even though it was reported as an IPv6 issue, I believe that IPv4 is also affected.
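The following check is added here as an example; it is not part of the original report and not Suricata's own code. It confirms that a defrag host-config block assigns a timeout to every host, for both IPv4 and IPv6, so that no host falls through to the "no config found" path described above. It operates on the structure PyYAML's safe_load would produce for the workaround block; the two config dicts are constructed for the example (one is the workaround, one a deliberately incomplete list) and the function names are the example's own.

```python
import ipaddress

# Constructed: the defrag section as yaml.safe_load would return it for the
# workaround block above (PyYAML itself is not needed for this check).
WORKAROUND = {
    "defrag": {
        "timeout": 60,
        "host-config": [
            {"all": {"timeout": 60, "address": ["0.0.0.0/0", "::/0"]}},
        ],
    }
}

# Constructed: a host-config that names only one internal range and forgets
# IPv6 entirely, so most hosts would still hit the "no config found" path.
PARTIAL = {
    "defrag": {
        "timeout": 60,
        "host-config": [
            {"lan": {"timeout": 60, "address": ["10.0.0.0/8"]}},
        ],
    }
}

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")
ALL_V6 = ipaddress.ip_network("::/0")


def host_config_entries(cfg):
    """Yield (name, timeout, networks) for each entry under defrag.host-config."""
    for item in cfg.get("defrag", {}).get("host-config") or []:
        for name, body in item.items():
            nets = [ipaddress.ip_network(addr, strict=False)
                    for addr in body.get("address", [])]
            yield name, body.get("timeout"), nets


def uncovered_families(cfg):
    """Return the address families ('ipv4', 'ipv6') for which some host has no
    host-config entry carrying a timeout; [] means every host is covered."""
    v4, v6 = [], []
    for _name, timeout, nets in host_config_entries(cfg):
        if timeout is None:          # an entry without a timeout does not help
            continue
        for net in nets:
            (v4 if net.version == 4 else v6).append(net)
    missing = []
    # collapse_addresses merges adjacent and overlapping prefixes, so split
    # ranges such as 0.0.0.0/1 + 128.0.0.0/1 count as full coverage.
    if list(ipaddress.collapse_addresses(v4)) != [ALL_V4]:
        missing.append("ipv4")
    if list(ipaddress.collapse_addresses(v6)) != [ALL_V6]:
        missing.append("ipv6")
    return missing


if __name__ == "__main__":
    for label, cfg in (("workaround", WORKAROUND), ("partial", PARTIAL)):
        gaps = uncovered_families(cfg)
        print(f"{label}: {'ok' if not gaps else 'uncovered: ' + ', '.join(gaps)}")
```

Run it against the dict your own suricata.yaml loads into; an empty result from uncovered_families means every IPv4 and IPv6 host matches an entry with an explicit timeout, which is the property the workaround relies on.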

Thanks to Antonios Atlasis for reporting this issue.

Actions #1

Updated by Victor Julien over 7 years ago

  • Description updated (diff)
  • Status changed from Assigned to Closed
  • % Done changed from 70 to 100
